Geographical vulnerability mitigation response mapping system

ABSTRACT

Systems and methods for geographically mapping a vulnerability of a network having one or more network points include receiving vulnerability information identifying a vulnerability of a point of the network, correlating the vulnerability information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the vulnerability.

This application is a continuation of, and claims the benefit of priority to, application Ser. No. 10/916,872, filed Aug. 12, 2004 now U.S. Pat. No. 8,082,506 (now allowed), which is incorporated herein by reference in its entirety.

FIELD

This invention relates to a system and method to geographically map internal sources of cyber or digital security vulnerabilities in near or post real time for a physically focused mitigation response.

BACKGROUND

When a vulnerability in computer or telecommunications systems is proactively discovered to have a potential impact on an environment, response resources must be directed to a physical location. In practice, this requires extensive efforts to correlate existing threat information, router traffic information and physical location of the router, dramatically reducing response time. For example, today, most responses to a vulnerability require manual review of TCP/IP switch information, manual drawing of network “maps” and, most importantly, trying to mitigate a vulnerability in a sequential or business prioritization order while these efforts are being undertaken. These response schemes do not allow for an organization's management to easily identify the geographical location of the problem(s) and the location(s) at which resources are most needed. Furthermore, current response schemes do not allow an organization's response or management team timely access to geographical view(s) of the location of the vulnerabilities together with information relating to the status or progress of the response to the vulnerability.

SUMMARY

Consistent with the invention, systems and methods for geographically mapping a vulnerability of a network having one or more network points include receiving vulnerability information identifying a vulnerability of a point of the network, correlating the vulnerability information with location information for the identified network point, and network identification information for the identified network point, and generating a map displaying a geographical location of the vulnerability.

Additional objects and advantages will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objects and advantages will be realized and attained by means of the elements and combinations particularly pointed out in the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate several embodiments of the invention and together with the description, serve to explain the principles of the invention.

FIG. 1 is a block diagram of an exemplary environment in which the systems and methods of the present invention may be implemented;

FIG. 2 is a block diagram of an exemplary embodiment of a mapping computer;

FIG. 3 is a flowchart of an exemplary method for geographically mapping response information;

FIG. 4 is an exemplary screenshot of a vulnerability database containing vulnerability information;

FIG. 5 is an exemplary screenshot of records in an ARP database;

FIG. 6 is an exemplary screenshot of records in a location database;

FIG. 7 is an exemplary screenshot of records in a map database containing information for mapping vulnerabilities;

FIG. 8 is an exemplary screenshot of a map geographically mapping vulnerabilities consistent with the present invention; and

FIG. 9 is a flowchart showing an exemplary method for updating a geographic map with progress information.

DESCRIPTION OF THE EMBODIMENTS

Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. Wherever possible, the same reference numbers will be used throughout the drawings to refer to the same or like parts. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.

As used herein, an “intrusion” is an unauthorized use, attempt, or successful entry into a digital, computerized, or automated system, requiring a response from a human administrator or response team to mitigate any damage or unwanted consequences of the entry. For example, the introduction of a virus and the unauthorized entry into a system by a hacker are each “intrusions” within the spirit of the present invention. An “intrusion response” is a response by administrators or human operators to mitigate damage from the intrusion or prevent future intrusions. One of ordinary skill in the art will recognize that, within the spirit and scope of the present invention, “intrusions” of many types and natures are contemplated.

In addition, as used herein, a “vulnerability” is a prospective intrusion, that is, a location in a digital, computerized, or automated system, at which an unauthorized use, attempt, or successful entry is possible or easier than at other points in the system. For example, a specific weakness may be identified in a particular operating system, such as Microsoft's Windows™ operating system when running less than Service Pack 6. Then, all computers running the Windows operating system with less than Service Pack 6 will therefore have this vulnerability. One of ordinary skill in the art will recognize that this and other vulnerabilities may be identified by commercially available software products. While methods of locating such vulnerabilities are outside the scope of the present invention, one of ordinary skill in the art will recognize that any of the vulnerabilities identified or located by such software products, now known or later developed, are within the spirit of the present invention.

In addition, as used herein, a “mitigation response” is the effort undertaken to reduce unwanted consequences or to eliminate the possibility of a vulnerability or intrusion. For example, such a response may entail sending a human computer administrator to the site of the location to update software, install anti-virus software, eliminate a virus, or perform other necessary tasks. In addition, a response may entail installing a patch to the vulnerable computer, such as across a network. One of ordinary skill in the art will recognize that the present invention does not contemplate any specific responses. Instead, any response to a vulnerability or intrusion requiring the organization of resources is within the scope and spirit of the present invention.

For ease of discussion, the following describes the systems and methods of the present invention in terms of mapping “vulnerabilities”. However, these same systems and methods are equally applicable to mapping “intrusions”.

FIG. 1 is a block diagram of one exemplary environment in which the systems and methods of the present invention may be implemented. As shown in FIG. 1, system 100 employs mapping computer 102. In addition, system 100 may also employ databases such as vulnerability database 104, Address Routing Protocol (ARP) database 106, location database 108, and map database 110, each in electronic communication with mapping computer 102. System 100 also includes a display 114, such as a video display, for displaying the geographic information correlated and mapped by computer 102 using the methods discussed herein, and a network 112 in electronic communication with computer 102, in which the intrusions and vulnerabilities may occur.

In one embodiment, vulnerability database 104 may contain information identifying a vulnerability in the system, such as, for example, the vulnerability type, description, and impacted device, such as an IP Address of the impacted device (i.e., network point or computer). ARP database 106 may contain network location or identification information such as the IP and/or MAC address for one or more network points representing an impacted device (i.e., network point or computer). Location database 108 may contain geographical information such as the physical address or GPS coordinates of a potential point of entry. Finally, map database 110 may correlate and contain information from the vulnerability, ARP, and location databases as described below to map the vulnerabilities.

FIG. 2 is a block diagram illustrating an exemplary mapping computer 102 for use in system 100, consistent with the present invention. Computer 102 includes a bus 202 or other communication mechanism for communicating information, and a processor 204 coupled to bus 202 for processing information. Computer 102 also includes a main memory, such as a random access memory (RAM) 206, coupled to bus 202 for storing information and instructions during execution by processor 204. RAM 206 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 204. Computer system 102 further includes a read only memory (ROM) 208 or other storage device coupled to bus 202 for storing static information and instructions for processor 204. A mass storage device 210, such as a magnetic disk or optical disk, is provided and coupled to bus 202 for storing information and instructions.

Computer 102 may be coupled via bus 202 to a display 212, such as a cathode ray tube (CRT), for displaying information to a computer user. Display 212 may, in one embodiment, operate as display 114.

Computer 102 may further be coupled to an input device 214, such as a keyboard, which is coupled to bus 202 for communicating information and command selections to processor 204. Another type of user input device is a cursor control 216, such as a mouse, a trackball or cursor direction keys for communicating direction information and command selections to processor 204 and for controlling cursor movement on display 212. Cursor control 216 typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), which allow the device to specify positions in a plane.

According to one embodiment, computer 102 executes instructions for geographic mapping of vulnerability or intrusion information. Either alone or in combination with another computer system, computer 102 thus permits the geographic mapping of one or more vulnerabilities in response to processor 204 executing one or more sequences of instructions contained in RAM 206. Such instructions may be read into RAM 206 from another computer-readable medium, such as storage device 210. Execution of the sequences of instructions contained in RAM 206 causes processor 204 to perform the functions of mapping computer 102, and/or the process stages described herein. In an alternative implementation, hard-wired circuitry may be used in place of, or in combination with software instructions to implement the invention. Thus, implementations consistent with the principles of the present invention are not limited to any specific combination of hardware circuitry and software.

The term “computer-readable medium” as used herein refers to any media that participates in providing instructions to processor 204 for execution. Such a medium may take many forms, including but not limited to, non-volatile, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 210. Volatile media includes dynamic memory, such as RAM 206. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 202. Transmission media may also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Common forms of computer-readable media include, for example, a floppy disk, flexible disk, hard disk, magnetic tape, or any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, FLASH-EPROM, any other memory chip or cartridge, carrier wave, or any other medium from which a computer may read. For the purposes of this discussion, carrier waves are the signals which carry the data to and from computer 102.

Various forms of computer-readable media may be involved in carrying one or more sequences of one or more instructions to processor 204 for execution. For example, the instructions may initially be carried on the magnetic disk of a remote computer. The remote computer may load the instructions into a dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer 102 may receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector coupled to bus 202 may receive the data carried in the infra-red signal and place the data on bus 202. Bus 202 carries the data to main memory 206, from which processor 204 retrieves and executes the instructions. The instructions received by main memory 206 may optionally be stored on storage device 210 either before or after execution by processor 204.

Computer 102 may also include a communication interface 218 coupled to bus 202. Communication interface 218 provides a two-way data communication coupling to a network link 220 that may be connected to network 112. Network 112 may be a local area network (LAN), wide area network (WAN), or any other network configuration. For example, communication interface 218 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. Computer 102 may communicate with a host 224 via network 112. As another example, communication interface 218 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 218 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 220 typically provides data communication through one or more networks to other data devices. In this embodiment, network 112 may communicate with an Internet Service Provider (ISP) 226. For example, network link 220 may provide a connection to data equipment operated by the ISP 226. ISP 226, in turn, provides data communication services from another server 230 or host 224 to computer 102. Network 112 may use electric, electromagnetic or optical signals that carry digital data streams.

Computer 102 may send messages and receive data, including program code, through network 112, network link 220 and communication interface 218. In this embodiment, server 230 may download an application program to computer 102 via network 112 and communication interface 218. Consistent with the present invention, one such downloaded application geographically maps vulnerability or intrusion information, such as, for example, by executing methods 300 and/or 900, to be described below. The received code may be executed by processor 204 as it is received and/or stored in storage device 210, or other non-volatile storage for later execution.

Although computer system 102 is shown in FIG. 2 as connectable to server 230, those skilled in the art will recognize that computer system 102 may establish connections to multiple servers on Internet 228 and/or network 112. Such servers may include HTML-based Internet applications to provide information to computer system 102 upon request in a manner consistent with the present invention.

Returning to FIG. 1, display 114 may, in one embodiment, be implemented as display 212 (FIG. 2), directly connected to computer 102. In an alternative embodiment, display 114 may be connected to computer 102 via network 112. For example, display 114 may be a display connected to another computer on network 112, or may be a stand-alone display device such as a video projector connected to computer 102 via network 112.

In addition, databases 104, 106, 108, and 110 may each reside within computer 102 or may reside in any other location, such as on network 112, so long as they are in electronic communication with computer 102. In one embodiment, ARP database 106 may be a technical table such as the type typically resident in router points in a computer network, in which information such as the MAC address, IP address and Router (IP/MAC address) is kept.

In one embodiment, location database 108 is a static database in which the physical location of routers or network points is located. Such location information may include router (IP/MAC) address, router (or network point) physical address, and router (or network point) geographic locations, such as GPS coordinates. Accordingly, one of ordinary skill in the art will recognize that ARP database 106 and location database 108 may be kept in accordance with any now known or later developed methods for implementing and maintaining ARP information at router points, or physical location information, respectively.

In an alternative embodiment, databases 104, 106, 108, and 110, may be implemented as a single database, or may be implemented as any number of databases. For example, one of ordinary skill in the art will recognize that system 100 may include multiple ARP databases, such as having one for each router (not shown) in the system. Similarly, system 100 may include multiple vulnerability, location, and map databases. Furthermore, in one embodiment, databases 104, 106, 108, and 110 may be implemented as a single database containing all of the described information. One of ordinary skill in the art will recognize that system 100 may include any number (one or more) of databases so long as the information discussed herein may be retrieved and correlated as discussed herein.

Finally, databases 104, 106, 108, and 110 may be implemented using any now known or later developed database schemes or database software. For example, in one embodiment, each of the databases may be implemented using a relational database scheme, and/or may be built using Microsoft Access™ or Microsoft Excel™ software. While, more likely, one or more databases will be implemented to take into account other factors outside the scope of the present invention (for example, ARP database 106 may require specific format or implementation dependent on the router within which it resides), one of ordinary skill in the art will recognize that any implementation (and location) of the present databases is contemplated within the scope and spirit of the present invention.

FIG. 3 shows a method 300 for execution, such as by computer 102, for geographic mapping of vulnerability information, consistent with the present invention. Method 300 begins by receiving vulnerability information, stage 302, such as from a computer administrator, as the output of software designed to detect or discover vulnerabilities, or from any other source. In one embodiment, the vulnerability information may include an identification (such as the IP address) of the computer where the vulnerability exists, and the name and description of the vulnerability, among other information. Upon receipt of the vulnerability information, it is stored in vulnerability database 104, stage 304. FIG. 4 shows one embodiment of vulnerability information 400 within vulnerability database 104.

Returning to FIG. 3, computer 102 then retrieves for computers (or network points) at which a vulnerability exists, ARP information for that computer (or network point) from ARP database 106, stage 306. In one embodiment, the vulnerability information (such as the IP address) may be used as a key to retrieve the appropriate record from ARP database 106. The ARP information may include the MAC address, and router IP/MAC address or any other network address information of the network point at which the vulnerability exists, as necessary. FIG. 5 shows one exemplary embodiment 500 of the ARP information within ARP database 106.

In addition, computer 102 may also retrieve geographic location information for the computer at which the vulnerability exists, from location database 108, stage 308. In one embodiment, the vulnerability data (such as IP address) and/or the ARP data (such as the router IP/MAC address) may be used as a key to identify a record corresponding to the location database record(s), corresponding to the vulnerable network point. The location information retrieved may include such information as the physical location (e.g., mailing address or GPS coordinates) for the identified vulnerable network point or computer. FIG. 6 shows one exemplary embodiment 600 of the location information within location database 108.

Once this information has been retrieved from databases 104, 106, and 108, it is stored in map database 110, stage 310. Within map database 110, the retrieved information is preferably correlated such that all information for a particular vulnerability is stored in a record for that vulnerable device. For example, FIG. 7 shows an exemplary screenshot 700 of records in map database 110. As shown, map database records 710 may contain the vulnerability information, the network address (such as the IP or MAC address from ARP database 106), and the physical location, such as the mailing address, or GPS information (from location database 108). In addition, map database records 710 may also include a status of the vulnerability and an indication of the response person or team assigned to respond to the vulnerability.

Upon correlating this information within map database 110, computer 102 then maps the location of the vulnerability, stage 312. In one embodiment, the location information for each record is imported into a commercially available mapping program such as Microsoft MapPoint™ to visually locate the vulnerable points in the geographical representation of the company on a map. In one embodiment, the map may represent each of the vulnerabilities as a symbol on the map, for example, as a “push pin.” An exemplary map 800 using this push pin approach is shown as FIG. 8. Within map 800, each pushpin 802, 804, shows the location of a point of vulnerability requiring a response.

Using map 800, response teams or system administrators will be able to identify “pockets” of vulnerabilities and will be able to better prioritize and more efficiently schedule response personnel to respond and mitigate or eliminate the vulnerability, based on geographic location. For example, the color of the push-pin symbol, or representation on the map, may be used to identify the quantity of vulnerable points in an area on the map, allowing the administrators to identify such “pockets.” In addition, the symbol (i.e., push-pin or other symbol) may be linked to the underlying data. In this manner, a system user may, using an input device, select a symbol on the map to initiate a display of data such as the vulnerability type, IP address, status of the response, or other information.

FIG. 9 shows a flowchart of a method 900 for updating the geographic map with progress information. Method 900 begins with a response team or system administrator sending an update to the system to advise of a new status of a vulnerability, stage 902. For example, the response team may advise the system that the vulnerable computer must be replaced, and be rendered inactive until it is replaced, (i.e., the vulnerability is “open”) or may advise the system that the vulnerable computer has been upgraded and is no longer vulnerable (i.e., the vulnerability is “fixed”).

Once this information is received, the map database record for the identified vulnerability is updated, stage 904. For example, each vulnerability record in the database may contain a field to identify the status of the vulnerability (see FIG. 7). Possible status indicators may reflect that the vulnerability is “new,” “open” (i.e., not yet responded to), “assigned to a response team,” “closed” (i.e., responded to and fixed), or any other status that may be of use to the organization for which the system has been implemented.

Once the map database record has been updated, map computer 102 can update map 800 to reflect the updated status of the vulnerability. For example, one way that map 800 can show the status information is to display color-coded push pin symbols to reflect the status. In one embodiment, a red push pin may signify an “open” or “new” vulnerability, a yellow push pin may signify a vulnerability that has been assigned, but not yet fixed, and a green push pin may signify a closed vulnerability. By mapping this information together with the locations of the vulnerabilities, administrators can better track the progress of their response teams, and more fluidly schedule responses to new vulnerabilities as they arise.
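
As an added illustration of methods 300 and 900 (an example written for this page, not code from the patent or its assignee), the following Python program uses an in-memory SQLite database to correlate vulnerability, ARP and location records into map records, reports findings whose lookup failed, and derives the pin color from the status. The table and column names, the short status key "assigned" and all sample rows are assumptions constructed for the example.

```python
import sqlite3

# Colour rule from the description: red = new/open, yellow = assigned, green = closed.
STATUS_COLOR = {"new": "red", "open": "red", "assigned": "yellow", "closed": "green"}

# Assumed relational layout for databases 104, 106, 108 and 110.
SCHEMA = """
CREATE TABLE vulnerability (ip TEXT, vuln_name TEXT, PRIMARY KEY (ip, vuln_name));
CREATE TABLE arp (ip TEXT PRIMARY KEY, mac TEXT, router_ip TEXT);
CREATE TABLE location (router_ip TEXT PRIMARY KEY, site TEXT, lat REAL, lon REAL);
CREATE TABLE map_record (
    ip TEXT, vuln_name TEXT, mac TEXT, router_ip TEXT,
    site TEXT, lat REAL, lon REAL,
    status TEXT NOT NULL DEFAULT 'new', assigned_to TEXT,
    PRIMARY KEY (ip, vuln_name));
"""

# Constructed sample rows (documentation address ranges, invented sites).
VULNS = [("192.0.2.10", "missing-patch-A"), ("192.0.2.11", "missing-patch-A"),
         ("192.0.2.130", "weak-config-B"), ("198.51.100.7", "weak-config-B"),
         ("203.0.113.5", "missing-patch-A")]
ARP = [("192.0.2.10", "00:00:5e:00:53:10", "192.0.2.1"),
       ("192.0.2.11", "00:00:5e:00:53:11", "192.0.2.1"),
       ("192.0.2.130", "00:00:5e:00:53:82", "192.0.2.129"),
       ("198.51.100.7", "00:00:5e:00:53:07", "198.51.100.1")]  # 203.0.113.5 absent
LOCATION = [("192.0.2.1", "Site A", 40.0, -75.0),
            ("192.0.2.129", "Site B", 41.0, -74.0)]  # router 198.51.100.1 absent


def build_db():
    """Stages 302/304: load the source tables into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vulnerability VALUES (?, ?)", VULNS)
    conn.executemany("INSERT INTO arp VALUES (?, ?, ?)", ARP)
    conn.executemany("INSERT INTO location VALUES (?, ?, ?, ?)", LOCATION)
    return conn


def correlate(conn):
    """Stages 306-310: IP -> ARP record -> router -> location, stored per device.

    LEFT JOINs keep findings whose lookup failed, so they are reported
    instead of silently vanishing from the map. Returns those findings.
    INSERT OR IGNORE keeps existing records (and their status) on a re-run.
    """
    conn.execute("""
        INSERT OR IGNORE INTO map_record (ip, vuln_name, mac, router_ip, site, lat, lon)
        SELECT v.ip, v.vuln_name, a.mac, a.router_ip, l.site, l.lat, l.lon
        FROM vulnerability v
        LEFT JOIN arp a ON a.ip = v.ip
        LEFT JOIN location l ON l.router_ip = a.router_ip""")
    return conn.execute("""
        SELECT ip, CASE WHEN router_ip IS NULL THEN 'no ARP entry'
                        ELSE 'no location for router' END
        FROM map_record WHERE lat IS NULL ORDER BY ip""").fetchall()


def update_status(conn, ip, vuln_name, status, assigned_to=None):
    """Method 900, stages 902/904: record a new status for one finding."""
    if status not in STATUS_COLOR:
        raise ValueError(f"unknown status: {status!r}")
    cur = conn.execute(
        "UPDATE map_record SET status = ?, assigned_to = COALESCE(?, assigned_to) "
        "WHERE ip = ? AND vuln_name = ?", (status, assigned_to, ip, vuln_name))
    if cur.rowcount == 0:
        raise KeyError((ip, vuln_name))


def pins(conn):
    """Stage 312: one colour-coded pin per located finding."""
    rows = conn.execute("""SELECT ip, vuln_name, site, lat, lon, status
                           FROM map_record WHERE lat IS NOT NULL ORDER BY ip""")
    return [{"ip": ip, "vuln": v, "site": s, "lat": la, "lon": lo,
             "color": STATUS_COLOR[st]} for ip, v, s, la, lo, st in rows]


def pockets(conn):
    """Count findings not yet closed at each site, largest pocket first."""
    return conn.execute("""
        SELECT site, COUNT(*) FROM map_record
        WHERE lat IS NOT NULL AND status != 'closed'
        GROUP BY site ORDER BY COUNT(*) DESC, site""").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("unresolved:", correlate(db))
    update_status(db, "192.0.2.10", "missing-patch-A", "assigned", "team-1")
    update_status(db, "192.0.2.130", "weak-config-B", "closed")
    for pin in pins(db):
        print(pin)
    print("pockets:", pockets(db))
```

The two findings returned by correlate() have no pin on the map; an operator would treat that list as stale ARP or location data to be corrected rather than as hosts with nothing to fix.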

One of ordinary skill in the art will recognize that, while the present invention discusses the systems and methods for mapping vulnerabilities of a system, similar systems and methods may be utilized to map intrusions to the system. For example, referring to FIG. 1, database 104 may maintain intrusion information rather than vulnerability information. Using intrusion database 104, computer 102, through the execution of methods 300 and 900, may geographically map intrusions and update the status of responses to those intrusions, such as is described in U.S. patent application Ser. No. 13/342,146, entitled “Geographical Intrusion Response Prioritization Mapping System,” filed concurrently herewith, the contents of which are hereby incorporated by reference in its entirety.

More specifically, with regard to FIG. 3, system 100 may receive intrusion data, stage 302. This information may be received via any source, for example, virus detection software, security software designed to detect unauthorized entry into the system, software designed to identify unauthorized attempts to communicate with a particular port number, or any other now known or later developed method of identifying intrusions.

Once the intrusion information has been received, it is stored in database 104, stage 304. For each intrusion, computer 102 retrieves the ARP information, and location information corresponding to the network point at which the intrusion entered system 100, stages 306 and 308. This information may then be correlated in database 110, (FIG. 3, stage 310). Finally, computer 102 may map the intrusions (FIG. 3, stage 312), and update the map as discussed above (see FIG. 9).

Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.

What is claimed is:
 1. A computer-implemented method for displaying a vulnerability of a network comprising one or more computers, the method comprising: receiving network vulnerability information identifying a vulnerable computer in the network; determining a network address of the identified vulnerable computer based on the received network vulnerability information; determining a geographical location of the identified vulnerable computer based on the determined network address of the identified vulnerable computer; receiving mitigation response status information indicative of a status of a mitigation response to the identified vulnerable computer; providing a geographical map including at least the geographical location of the identified vulnerable computer; providing a network vulnerability symbol on the map designating the geographical location of the vulnerable computer; and graphically distinguishing the network vulnerability symbol on the map to indicate the status of the mitigation response.
 2. The method of claim 1, wherein the network vulnerability information includes an Internet Protocol (IP) address associated with the identified vulnerable computer.
 3. The method of claim 1, wherein the network address includes at least one of a media access control (MAC) address or a router address associated with the identified vulnerable computer.
 4. The method of claim 1, wherein: determining a network address includes looking up the network address in a network address database using the received vulnerability information; and determining a geographical location includes looking up the geographical location in a geographical location database using the determined network address.
 5. The method of claim 1, further including storing, in a map database, a vulnerability record for the identified vulnerable computer, the vulnerability record including the vulnerability information, the network address, the geographical location information, and the mitigation response status information associated with the identified vulnerable computer.
 6. The method of claim 1, wherein the status of the mitigation response includes new, open, assigned to a mitigation response team, or closed.
 7. The method of claim 1, further including: receiving new mitigation response status information indicating a new status of the mitigation response; and updating the network vulnerability symbol on the map to indicate the new status of the mitigation response.
 8. A non-transitory computer-readable storage medium storing instructions which, when executed by a computer, cause the computer to perform a method for displaying a vulnerability of a network having one or more network points, the method comprising: receiving network vulnerability information identifying a vulnerable computer in the network; determining a network address of the identified vulnerable computer based on the received network vulnerability information; determining a geographical location of the identified vulnerable computer based on the determined network address of the identified vulnerable computer; receiving mitigation response status information indicative of a status of a mitigation response to the identified vulnerable computer; providing a geographical map including at least the geographical location of the identified vulnerable computer; providing a network vulnerability symbol on the map designating the geographical location of the vulnerable computer; and graphically distinguishing the network vulnerability symbol on the map to indicate the status of the mitigation response.
 9. The computer-readable storage medium of claim 8, wherein the network vulnerability information includes an Internet Protocol (IP) address associated with the identified vulnerable computer.
 10. The computer-readable storage medium of claim 8, wherein the network address includes at least one of a media access control (MAC) address or a router address associated with the identified vulnerable computer.
 11. The computer-readable storage medium of claim 8, wherein the method further includes: determining a network address includes looking up the network address in a network address database using the received vulnerability information; and determining a geographical location includes looking up the geographical location in a geographical location database using the determined network address.
 12. The computer-readable storage medium of claim 8, wherein the method further includes storing, in a map database, a vulnerability record for the identified vulnerable computer, the vulnerability record including the vulnerability information, the network address, the geographical location information, and the mitigation response status information associated with the identified vulnerable computer.
 13. The computer-readable storage medium of claim 8, wherein the status of the mitigation response includes new, open, assigned to a mitigation response team, or closed.
 14. The computer-readable storage medium of claim 8, wherein the method further includes: receiving new mitigation response status information indicating a new status of the mitigation response; and updating the network vulnerability symbol on the map to indicate the new status of the mitigation response.
 15. A computer-implemented method for representing vulnerabilities of a network comprising a plurality of network points, the method comprising: receiving, at a computer, network vulnerability information identifying a plurality of vulnerable computers on the network; determining network addresses of the identified vulnerable computers based on the received network vulnerability information; determining geographical locations of the identified vulnerable computers based on the determined network addresses of the identified vulnerable computers; receiving mitigation response status information indicative of statuses of mitigation responses to the identified vulnerable computers; providing a geographical map including at least the geographical locations of the identified vulnerable computers; providing network vulnerability symbols on the map designating the geographical locations of the vulnerable computers; and graphically distinguishing the network vulnerability symbols on the map to indicate the respective statuses of the mitigation responses to the vulnerable computers.
 16. The method of claim 15, wherein the network vulnerability information includes Internet Protocol (IP) addresses associated with the identified vulnerable computers.
 17. The method of claim 15, wherein the network addresses include at least one of media access control (MAC) addresses or router addresses associated with the identified vulnerable computers.
 18. The method of claim 15, wherein: determining network addresses includes looking up the network addresses in a network address database using the received vulnerability information; and determining geographical locations includes looking up the geographical locations in a geographical location database using the determined network addresses.
 19. The method of claim 15, further including storing, in a map database, vulnerability records for the identified vulnerable computers, the vulnerability records including the respective vulnerability information, network addresses, geographical location information, and mitigation response status information associated with the identified vulnerable computers.
 20. The method of claim 15, wherein the statuses of the mitigation responses include new, open, assigned to a mitigation response team, or closed.
 21. The method of claim 15, further including: receiving new mitigation response status information indicating new statuses of the mitigation responses; and updating the network vulnerability symbols on the map to indicate the new statuses of the mitigation responses.